cafe-grader-web Commit - r755:17c54fa350f2

cafe-grader-web

Commit `r755:17c54fa350f2` public

parent | child

Description:

add ip whitelisting

Commit status:

[Not Reviewed]

References:

algo

Diff options:

| | | |

Comments:

0 Commit comments 0 Inline Comments

Unresolved TODOs:

There are no unresolved TODOs

Add another comment

r755:17c54fa350f2 - Sun, 07 Jul 2019 08:12:52 - 2 files changed: 49 inserted, 7 deleted

app/controllers/application_controller.rb ¶ +36 -7

+            + require 'ipaddr'
+            +
               class ApplicationController < ActionController::Base
                 protect_from_forgery
                 before_action :current_user
                 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
                 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
+            +   ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only'
+            +   WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
                 #report and redirect for unauthorized activities
                 def unauthorized_redirect
                   flash[:notice] = 'You are not authorized to view the page you requested'
                   redirect_to :controller => 'main', :action => 'login'
                 end
                 # Returns the current logged-in user (if any).
                 def current_user
                   return nil unless session[:user_id]
                   @current_user ||= User.find(session[:user_id])
                 end
                 def admin_authorization
                   return false unless authenticate
                   user = User.includes(:roles).find(session[:user_id])
                   unless user.admin?
                     unauthorized_redirect
                     return false
                   end
                   return true
                 end
                 def authorization_by_roles(allowed_roles)
                   return false unless authenticate
                   user = User.find(session[:user_id])
                   unless user.roles.detect { |role| allowed_roles.member?(role.name) }
                     unauthorized_redirect
                     return false
                   end
                 end
                 def testcase_authorization
                   #admin always has privileged
                   if @current_user.admin?
                     return true
                   end
                   unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
                 end
+            +
                 protected
+            +   #redirect to root (and also force logout)
+            +   #if the user is not logged_in or the system is in "ADMIN ONLY" mode
                 def authenticate
                   unless session[:user_id]
                     flash[:notice] = 'You need to login'
                     if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
                       flash[:notice] = 'You need to login but you cannot log in at this time'
                     end
                     redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
                   # check if run in single user mode
                   if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
-            -       if @current_user==nil or (not @current_user.admin?)
+            +       if @current_user==nil || (not @current_user.admin?)
                       flash[:notice] = 'You cannot log in at this time'
                       redirect_to :controller => 'main', :action => 'login'
                       return false
                     end
-            -       return true
                   end
                   # check if the user is enabled
-            -     unless @current_user.enabled? or @current_user.admin?
+            +     unless @current_user.enabled? || @current_user.admin?
                     flash[:notice] = 'Your account is disabled'
                     redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
+            +     # check if user ip is allowed
+            +     unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
+            +       unless is_request_ip_allowed?
+            +         flash[:notice] = 'Your IP is not allowed'
+            +         redirect_to root_path
+            +       end
+            +     end
+            +
                   if GraderConfiguration.multicontests?
                     return true if @current_user.admin?
                     begin
                       if @current_user.contest_stat(true).forced_logout
                         flash[:notice] = 'You have been automatically logged out.'
                         redirect_to :controller => 'main', :action => 'index'
                       end
                     rescue
                     end
                   end
                   return true
                 end
+            +   #redirect to root (and also force logout)
+            +   #if the user use different ip from the previous connection
+            +   #  only applicable when MULTIPLE_IP_LOGIN options is false only
                 def authenticate_by_ip_address
                   #this assume that we have already authenticate normally
                   unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
                     user = User.find(session[:user_id])
-            -       if (not user.admin? and user.last_ip and user.last_ip != request.remote_ip)
+            +       if (not @current_user.admin? && user.last_ip && user.last_ip != request.remote_ip)
                       flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
                       redirect_to :controller => 'main', :action => 'login'
                       puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
                       return false
                     end
                     unless user.last_ip
                       user.last_ip = request.remote_ip
                       user.save
                     end
                   end
                   return true
                 end
                 def authorization
                   return false unless authenticate
                   user = User.find(session[:user_id])
                   unless user.roles.detect { |role|
                       role.rights.detect{ |right|
                         right.controller == self.class.controller_name and
-            -             (right.action == 'all' or right.action == action_name)
+            +             (right.action == 'all' || right.action == action_name)
                       }
                     }
                     flash[:notice] = 'You are not authorized to view the page you requested'
                     #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
                     redirect_to :controller => 'main', :action => 'login'
                     return false
                   end
                 end
                 def verify_time_limit
                   return true if session[:user_id]==nil
                   user = User.find(session[:user_id], :include => :site)
-            -     return true if user==nil or user.site == nil
+            +     return true if user==nil || user.site == nil
                   if user.contest_finished?
                     flash[:notice] = 'Error: the contest you are participating is over.'
                     redirect_to :back
                     return false
                   end
                   return true
                 end
+            +   def is_request_ip_allowed?
+            +     if GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
+            +       user_ip = IPAddr.new(request.remote_ip)
+            +       GraderConfiguration[WHITELIST_IP_LIST_CONF_KEY].delete(' ').split(',').each do |ips|
+            +         allow_ips = IPAddr.new(ips)
+            +         unless allow_ips.includes(user_ip)
+            +           return false
                       end
+            +       end
+            +     end
+            +     return true
+            +   end
+            +
+            + end

db/seeds.rb ¶ +13

                    :default_value => 'false'
                  },
                  {
                    :key => 'contest.confirm_indv_contest_start',
                    :value_type => 'boolean',
                    :default_value => 'false'
                  },
                  {
                    :key => 'contest.default_contest_name',
                    :value_type => 'string',
                    :default_value => 'none',
                    :description => "New user will be assigned to this contest automatically, if it exists.  Set to 'none' if there is no default contest."
                  },
                  {
                    :key => 'system.use_problem_group',
                    :value_type => 'boolean',
                    :default_value => 'false',
                    :description => "If true, available problem to the user will be only ones associated with the group of the user."
                  },
+            +    {
+            +      :key => 'right.whitelist_ip_only',
+            +      :value_type => 'boolean',
+            +      :default_value => 'false',
+            +      :description => "If true, non-admin user will be able to use the system only when their ip is in the 'whitelist_ip'."
+            +    },
+            +
+            +    {
+            +      :key => 'right.whitelist_ip',
+            +      :value_type => 'string',
+            +      :default_value => '0.0.0.0/0',
+            +      :description => "list of whitelist ip, given in comma separated CIDR notation. For example '161.200.92.0/23, 161.200.80.1/32'"
+            +    },
                 ]
               def create_configuration_key(key,
                                            value_type,
                                            default_value,
                                            description='')
                 conf = (GraderConfiguration.find_by_key(key) ||
                         GraderConfiguration.new(:key => key,
                                           :value_type => value_type,
                                           :value => default_value))
                 conf.description = description
                 conf.save
               end
               def seed_config
                 CONFIGURATIONS.each do |conf|
                   if conf.has_key? :description
                     desc = conf[:description]
                   else
                     desc = ''
                   end
                   create_configuration_key(conf[:key],

Write
Preview

You need to be logged in to leave comments. Login now

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository permissions settings

Sign in to your account

Author

r755:17c54fa350f2 - Sun, 07 Jul 2019 08:12:52 - 2 files changed: 49 inserted, 7 deleted

Sign in to your account

Commit r755:17c54fa350f2 public

Author

r755:17c54fa350f2 - Sun, 07 Jul 2019 08:12:52 - 2 files changed: 49 inserted, 7 deleted

Commit `r755:17c54fa350f2` public